We will extend the capabilities of our private key management in the following aspects:
- key rotation: key pairs should get rotated automatically by the
SigningService - remote signing: it should be possible to cryptographically sign payloads "remotely", i.e. outside of EDC
Production-grade enterprise deployments of the Connector and other components will require centralized key management capabilities, where key pairs are automatically rotated to defend against key attrition. This is typically implemented by HSMs such as Hashicorp Vault.
In a similar fashion EDC will provide a feature to "remotely sign" payloads. Instead of transmitting the private key from the vault to EDC over the network, and signing the payload locally, which carries some risk of exposure, leakage, mishandling etc., EDC will transmit the payload to the vault, have the payload signed/encrypted there and transmit the signature or encrypted payload back.
With this, the private key never leaves the vault, thus avoiding any risk of key exposure or leakage.
Note that there may be a penalty on latency, especially when transmitting very large payloads, such as VerifiablePresentations that contain many large VerifiableCredentials!
- add new interface
SigningServicethat declares two methods:public interface SigningService { byte[] sign(String keyId, byte[] data); boolean verify(String keyId, byte[] signature); }
- the default implementation performs signing and verifying exactly as implemented currently, pulling keys out of the vault and performing the signing locally.
- For each vault technology, there would be a
SigningServiceimplementation - Custom implementations of
JWSSignerandJWSVerifier(from Nimbus) namedRemoteJwsSignerandRemoteJwsVerifierrespectively, will delegate signing and verifying to theSigningService. These objects are provided by an extension. - A configuration value
edc.signing.remote.enablewill be added to enable/disable remote signing
- Add
rotate(String keyId, Map<String, Object> keyProperties)method to theSigningServiceto specify the algorithm and cryptographic properties as well as the TTL (time-to-live) - IdentityHub:
KeyPairServiceImplcallsSigningService#rotate()when rotating keys - Configuration values:
edc.signing.keys.rotation.enable: enable/disable automatic rotationedc.signing.keys.rotation.algorithm: the cryptographic algorithmedc.signing.keys.rotation.ttl: time-to-live (in days) for keys, until they get rotated automatically
Note: necessary implementations on Technology repos are not listed here
| Hashicorp Vault | Azure KeyVault | AWS KMS | |
|---|---|---|---|
| Remote Signing*) | natively supported (REST) | natively supported (REST, SDK) | natively supported (REST, SDK) |
| Key Rotation | automatic and manual rotation supported via Transit Secrets Engine |
automatic and manual rotation supported via rotation policies |
automatic and manual rotation supported |
*) automatic notifications upon rotation (auto or manual) are supported, but have to be implemented using CSP-specific eventing mechanisms, such as EventBridge (AWS) or EventGrid (Azure).